HP delays patch, slams down threat instead

08.01.2002 :: 9:07AM EST

SnoSoft, a research group, has been served with a letter from Hewlett-Packard because of the group's discovery of a security hole in Tru64 Unix, a UNIX variant which HP now owns (due to its purchase of Compaq). A researcher in the group calling himself “Phased” posted an exploit of the hole on Bugtraq; the letter from HP specifically states that the group has violated the DMCA (Digital Millennium Copyright Act) and other computer crime laws by posting the exploit, which (according to HP) allows HP to “reserve the right to sue for moneys and damages caused by the posting and use of the buffer overflow exploit.”

SnoSoft did, however, contact Security Focus, which hosts the Bugtraq list, and request that it remove the post from its site, stating that one of SnoSoft's members had released the exploit code “without following the rules.”

This appears to be the first time the DMCA has been used to suppress computer-related research, and specifically research into security-related bugs in software and operating systems. Critics say that if HP is allowed to sue SnoSoft for damages, or if the company convinces the DoJ to prosecute either SnoSoft (the research group) or Phased (the individual who released the exploit), it could set a precedent for crippling security-related computer research. Up to now, the DMCA has only been used to punish those who compromise the copy protection of programs, documents, or digital entertainment content.

Although HP has yet to release a patch for the hole in its Tru64 Unix operating system, it did state in its letter to SnoSoft that the group's members could be fined up to US$500,000 and spend as much as 5 years in prison for releasing the exploit, which allows a Tru64 user to gain administrative rights on the system.

RON'S OPINION
And I thought Microsoft was the only company that would go to such low tactics to prevent itself from being embarrassed by holes in its code.

So what does HP hope to gain by stomping out a “loosely organized research collective?” A SnoSoft spokesman stated that the group had been talking with HP about this hole since early this spring, and also stated that this should have been more than enough time for the company to find a fix and release a patch. I have to say that I certainly agree. The Tru64 Unix operating system runs on mid-range to high-end server machines (AlphaServers), and large corporations and universities rely on these machines to be secure solutions for their high-end computing needs. To that end, HP/Compaq should make doubly sure that any holes in this operating system are dealt with urgently.

This is just another disturbing trend in the use of the DMCA, and for those who think there is a chance that the law will eventually be struck down, I would say that it is far from likely. The more time that passes, the more companies will find more creative ways to use the law for their own gain, and the more precedents will be set in the courts to give the DMCA power until all computer security research is snuffed out, all digital content/media is locked down, and we are allowed to buy only the “right” to use such content for a time, never really owning the media or the copy of the programs/content that we have bought. It will allow the large corporations to make huge amounts of money off of the work they didn't even do, leaving the actual creators with nothing. I could go on, but there's no use.

That said, we do need to petition our legislators, making sure they understand that they are hurting their own constituents by continuing to allow this law to exist, and stifling competition in the market as well. I'm not one to jump on a cause like this, and I don't know how far the HP threat will go, but I don't like it one bit, and I want the continual growth of security by obscurity stopped. Microsoft and HP are two of the largest corporations in the computer industry, and they can control and proliferate security by obscurity by using exactly these tactics.

USER COMMENTS 34 comment(s)

Free Speech(9:17am EST Thu Aug 01 2002)You mean, they used the DMCA to squelch a post on a public forum. Which is essentially squelching 'Free Speech'. Thus, HP's use of the DMCA clearly violates a constitutional right. – by ReaponWex

RE: Free Speech(9:20am EST Thu Aug 01 2002)Phased acted as a 'Whistleblower'. This is not illegal under the Whistleblower statute. The DMCA is in direct opposition to a law that encourages someone to speak out about things such as this. – by Cranston

DMCA Text?(9:27am EST Thu Aug 01 2002)Could you please link to the exact text of the DMCA for reference? Also, could you link to the exploit? Additionally, do we know which portion of this Act the “potential lawsuit” is in reference to? Plus, let's remember two things about our legal system: 1) Ultimately the judges interpret laws. In this case, HP may be using this letter as a bullying system, as they know that no judge would interpret this law to have such far reaching effects. 2) It is much easier and common for a judge to determine within a court proceeding that a given law is unconstitutional than it is for a legislator to renege on a law, especially ones that were created during his/her term. – by SDB

That's it(9:31am EST Thu Aug 01 2002)I'm moving to Holland where they try this kind of law out – and then rapidly retract the act when it's shown to be damaging to progress and public security…

It's gonna take U.S. congresspeople *how* long to remove the RIAA, M$, HP, MPAA Etc.'s hands from their pockets!? – by Screw That!

re: SDB(9:36am EST Thu Aug 01 2002)Ask and ye shall receive:

. – by Ziwiwiwiwiwiwiwiwiwi

Then Don't Tell The Company(9:37am EST Thu Aug 01 2002)If companies are going to complain about exploits in their software being publicly known, then how about no one tell the public about them anymore. And while we're at it, how about not letting the company itself know about it.

Despite the sarcasm of the last statement, it might actually work. If people kept their findings to themselves, hackers would eventually find these exploits on their own. By the time these hackers were done raping and pillaging servers with this poor-security software, no one would ever think to buy another product from the company that produces such software.

The point I am trying to make is that people attempt to perform a good deed and inform a company of a security hole before hackers can get to it, but that company spends months doing nothing to fix the security hole. Instead they would rather punish the person who finds the exploit. I guess no good deed goes unpunished. – by organgtool

Just Remember…(10:09am EST Thu Aug 01 2002)… I — am the boss of you! I — am the boss of YOU! I — AM the boss of you! I — am the BOSS of you!

And there will be no more magic in the kingdom! – by Froboz Electric

ReaponWex(10:13am EST Thu Aug 01 2002)Does free speech allow you to discover government top secrets, and then post them on a yahoo newsgroup? You would be tried for treason and espionage.

In the business world, the same rules apply, not because they truly protect individuals or society, but because they protect a company's bottom line. But the fact is that while you have the freedom to say whatever you like, along with that freedom is accepting responsibility for what you say. I am tired of people using freedom of speech as an excuse for not accepting responsibility for what they have to say or do.

If you reveal company or government secrets, or violate the law, then regardless of your right to freedom of speech, you have to accept responsibility for the laws or copyrights that you violate, bottom line. And it doesn't matter if they are unjust or you don't agree with them.

We live in a society of rules and laws, and increasingly people seem to think they are above those rules because they don't like paying for consumer goods, or don't like the fact a company is maintaining proprietary intellectual properties and not sharing that information with them. If you don't like a rule or law, then there are official channels and procedures you can follow to begin the process of changing that rule or law, but it will take time and patience. If, instead, you blatantly ignore and violate the law, then you have to be prepared to accept responsibility for your actions, not just wave the constitution at prosecutors. – by Topher

You would be tried for treason and espionage(10:42am EST Thu Aug 01 2002)Sometimes, sometimes not. It depends on how you obtained the information.

If you do the original research on a topic (say, DNA investigation of the flatworm), and publish it, then nothing has been done wrong. Even if the DNA structure of the flatworm has been marked “top secret”, there is nobody that would know that, and hence no way to know it WAS a secret.

In the case of something like encryption, it was public knowledge that any encryption was to be treated as munitions, and hence export controlled. Does that mean that the mathematician who discovers a fast method of prime number search is suddenly guilty of “treason and espionage” because he published his research? Sometimes – at this point he “knew” its application to cryptography (part of the field applications) and should have known better. – by old sampler

just dessert?(11:01am EST Thu Aug 01 2002)if HP has known about this for some time and has not issued a patch, perhaps they would be liable if a Tru64 was hacked using the exploit and significant damage was done? that would certainly be an interesting turn of events. – by perkypete

Ron hates MS(11:03am EST Thu Aug 01 2002)Take an article that has nothing to do with MS and Ron will bash them in his opinion. Doesn't matter that MS hasn't stooped to this level – Adobe has. But truth doesn't matter. Come on Ron – I'm surprised you didn't end your post with *nix is better! (oh wait, this is about a security flaw in unix… how could that happen) – by Robguy

Robguy(12:03pm EST Thu Aug 01 2002)I've only been reading his posts here for the last month or so, and have come to the conclusion that Ron hates anything that could reasonably be called a success.

Microsoft is bad, Intel is bad, HP is bad, any large corporation must be bad, success in business is bad.

In the struggle between the so called good and evil as postulated here in these forums, Ron picks the little guy every time. All's well 'til you get more than 12 employees it seems.

What makes it a bit sad though, is that many of those who read these opinionated opinions take his words at face value. Therefore, Microsoft is bad, Intel is bad, HP is bad… – by Buford Lamonte

I wish we had a consensus on this..(1:45pm EST Thu Aug 01 2002)– by Geekzilla

HP is bad?(1:48pm EST Thu Aug 01 2002)Ron didn't say HP was bad anywhere in his post. In fact, he seemed surprised that they did this. His remark about MS was unnecessary, agreed. However, anyone with a brain knows MS is bad…they've been found guilty of predatory business practices, and they obviously gouge consumers.

What HP is doing is bad, and that is what Ron takes issue with. I happen to agree that attacking the people who discover security flaws in your operating system is a stupid move. It makes you look like a baby. If people can't publish their findings about security holes, no one can be sure the OS they are using is safe.

If we don't allow these things to be released publicly, they will just be released in hacker channels, and we won't find out about them until 1000 hacks have occurred, and someone in Russia takes a chance and tells the world.

HP has had plenty of time to fix the exploit, and has shown no interest in doing so. Maybe the exploit shouldn't have been released, but it's unacceptable to let HP just ignore the problem simply because the world doesn't know about it. Now they are attacking the people who told, when the whole thing could have been solved by fixing the damn exploit. – by Dan

Buford(2:19pm EST Thu Aug 01 2002)You know, most of the time you tend to be a blowhard, but on this occasion I find myself actually agreeing with you.

Ron's opinions are here to be seen, free of charge. As usual, you get what you pay for.

Personally I think he's anti-business all the way. – by voOmp

Buford and voOmp(2:23pm EST Thu Aug 01 2002)He's a columnist. If this site is like most, it bases its ad rates on page views.

You are incensed by his opinions or heartily agree, you come back like a good little yo-yo. Advertisers see how many people post, and they get hardons to send their shit to geek.com and advertise on here.

Ron is doing his job. This is how sub-humans like Ann Coulter, Laura Schlesinger and Rush Limbaugh got rich. – by Bob Dobbs

Ron(2:25pm EST Thu Aug 01 2002)Sorry, didn't mean to lump the geek.com staff in with those people. I was just citing the people most effective at it. You could just as well say Howard Stern, Michael Moore, and any other people. – by Bob Dobbs

This appears to be the first time (2:30pm EST Thu Aug 01 2002)What about Ed Felten? – by /sm

I thought Microsoft was the only company (2:34pm EST Thu Aug 01 2002)Nope, sorry to break it to you but they're ALL run by scoundrels, every single one of them.

You don't get to be president of the US or CEO of a major American corporation by playing fair.

Throughout mankind's history, its worst people have been in power, from the Pharaohs to Alexander, to Charlemagne, Napoleon, Louis XVI, RMNixon, Saddam Hussein, GWBush… need I go on? – by /sm

we do need to petition our legislators(2:36pm EST Thu Aug 01 2002)Send cash, that's the only language they understand – by /sm

Finding problems is 1…(2:41pm EST Thu Aug 01 2002)thing. Posting a way to hack is another. I hope they throw the book at them. HP has every right to defend its product. Everything is not a free speech argument, & we do have laws for a reason. – by tech

If I obtain a government secret because some idiot in the pentagon emailed it to me by mistake, then I am perfectly within my rights to blab as loudly as I wish.

If I break into CIA headquarters, steal secrets and blab, the blabbing isn't what was illegal, it was the breaking and entering.

Same goes for corporate secrets.

I don't believe that you are an idiot, I believe that you think all of us are, and I am offended. – by /sm

where is the pesticide??(2:44pm EST Thu Aug 01 2002)The end impact is that nobody will send in bugtracks and the software of these companies ends up with large holes… And everybody shuts up and does the exploit, largely diminishing the value of that software…

In the end these kind of laws will do more wrong than good to the ones making these laws…

I think they are a thief from their own purse should they pursue this… – by Bassie.

People who hate big companies…(3:02pm EST Thu Aug 01 2002)just because they are big and powerful are idiots.

If M$ was to attempt to sue (and they very well could afford it) every little script kiddie who exposes M$ security flaws, all the M$ haters would be all over it bashing the hell out of M$. As it stands, M$ does not sue, but rather tries to fix the problems (which are too many) but the M$ haters get all fussy-up-the-ass about that as well.

What's the use arguing with pinheads like that? – by Elitists Hater

Why…(3:05pm EST Thu Aug 01 2002)Why doesn't HP just stick to printers? Oh yeah, that's right. They suck too. Never buy a printer that has to do its processing on the computer's CPU. – by ArcherB

Elitists Hater(3:42pm EST Thu Aug 01 2002)People don't hate big companies because they are “big and powerful”, they hate big powerful companies because they abuse their size and power.

Abuses like donating millions to both candidates in a political race in a state where that company has no presence whatever. Why is this legal?

Because big business owns the politicians. Abuse of power.

Because these companies lie and steal. Because their CEOs and other leaders suck down ten million dollars in a year that ten thousand secretaries get laid off.

Show me a big powerful company that doesn't abuse its power, that treats its customers and stockholders alike fairly, that doesn't steal while calling its victims thieves, and I'll show you a big powerful company that everybody loves. – by /sm

HP(4:41pm EST Thu Aug 01 2002)I don't think HP is wrong for coming down on SnoSoft, necessarily. Phased clearly broke the rules of his engagement with SnoSoft by posting the hole on Bugtraq. And, even though the DMCA is a nightmare, HP is clearly within its rights to clamp down.

However, my point up above was that HP is selling a product for which there is a known security hole and not providing a patch. I wonder if HP is even warning the users of Tru64 about the hole. Even though they are phasing out Tru64, I think the responsible thing to do is to warn customers and provide a patch. If they don't, I was wondering if HP is liable for damages if a system is hacked using Phased's exploit. Is it the same thing as a company selling a product that is known to be dangerous?

Corporations are not inherently evil, but there are corporate watchdogs for a reason. – by perkypete

To All You Geeks(5:47pm EST Thu Aug 01 2002)Don't you all realize that the DMCA gives us big corporations the power to stifle the free speech of software security researchers, that we are going to sue you guys to silence so we don't have to secure our crappy software and that Congress was both stupid and bought by Hollywood to give us that power to pervert a law designed to protect copyprotected music, books, videos and games to mean nearly any type of software app? I'm just glad all we have to do is send our lawyers after you instead of having to spend all of that time actually improving our software . . . BigCorporateNiceGuy – by VPofCorporateTruth

Assh0le(6:29pm EST Thu Aug 01 2002)“Why… (3:05pm EST Thu Aug 01 2002)Why doesn't HP just stick to printers? Oh yeah, that's right. They suck too. Never buy a printer that has to do its processing on the computer's CPU. – by ArcherB”

If you actually knew what you were talking about, someone might listen.

HP printers are some of the best printers around. If you are complaining about your HP DeskJet using your CPU – what else is new. Many printers require CPU time. HP LaserJets generally use Motorola chips. (RISC). My LaserJet at home has a dedicated 133MHz RISC CPU. – by Jewsh

Not a question of free speech(6:31pm EST Thu Aug 01 2002)Does free speech allow you to discover government top secrets, and then post them on a yahoo newsgroup? You would be tried for treason and espionage.

Firstly, not here to flame anyone. Secondly the issue here is not free speech. If Superbigcompany X builds a patented security fence, sells it to thousands of consumers, pitching its security, and then someone finds that each and every one of the fences has a flaw which would allow anyone with the motor skills of a dead sloth entry, why the heck would Superbigcompany X have the right to sue that individual for telling people about the flaw? – by PCTech

PCTech(8:14pm EST Thu Aug 01 2002)why? the DMCA is the answer. the DMCA makes it illegal for anyone to “circumvent a technological measure that effectively controls access” to a copyrighted work. it's that simple.

you might ask how did such a heavy-handed law get put into place? it is the same corporations that some folks on this thread have tried to portray as benevolent (interestingly, Disney was one of the most vocal proponents for DMCA).

as if the DMCA isn't bad enough, there are other efforts afoot by whore congresspeople and their corporate benefactors to further place restrictions on digital media. For example, the Security Systems Standards and Certification Act (SSSCA/CBDTPA), introduced by Sen. Fritz Hollings, would make it a civil offense to create or sell any kind of computer equipment that “does not include and utilize certified security technologies” approved by the federal government. According to the current draft, the law would require all digital devices — computers, software, digital audio and video recorders, digital assistants and electronic book readers — to prevent unauthorized copying and playback by using security technologies selected by the Secretary of Commerce. The law would require devices to include all certified technologies, not just one, and would require Internet service providers and web sites to store and transmit data with them, too.

gotta love those corporations, eh? – by perkypete

DMCA(9:17am EST Fri Aug 02 2002)Hmmmm, this is starting to sound like the Napster – MP3 fight(s) over in another part of the planet. “I made it, and it's mine, so pay me, or else!” A good friend once pointed out to me that if it were not for certain big monopolies ie Ma Bell, & M$ the internet most likely would not exist, or be so disjointed as to be not very useful. Almost everyone has a phone line, and almost everyone was (is?) using DOS, so we all could easily communicate with each other. I don't mind someone, hopefully me, making a profit, but this excessive greed is giving capitalism a bad name. I don't know what all that had to do with anything, but thanks for letting me vent. Oh yeah, with a name like Darwin, I do not have to create some cutsie-pie moniker. Thanks Dad! – by Darwin